1. Field of the Invention
The invention relates to a method for checking the integrity of transmitted data. More particularly, the invention relates to a method for checking the integrity of transmitted data by means of an out-of-band check code.
2. Description of Related Art
Data transmission through different kinds of networks is increasing very rapidly. As a result, more and more private and secret data, such as credit card numbers, is transferred through the networks. It is very important to be sure that received data or a received message comes from the correct sender. In addition, it is very important to be sure that nobody has changed the data in the transmission path, so that the correct information reaches the recipient.
In many cases data is meant for devices connected to a network and is used for controlling the operation of those devices. Such devices can, for example, be network elements and terminals. In particular, it is often necessary to distribute so-called bootstrap information to network devices. Here bootstrap information means data which is used for bringing a certain system into a desired state for a certain operation. This kind of information is, for example, provisioning data, which contains information relating to network operation, such as server addresses and Certification Authority certificates. When transmitting this kind of information, security becomes very important. If a person not entitled to the information changes the data and forwards it to the terminal, the consequences for the network can be serious. When transmitting this kind of information it is also very important to be sure that the data is correct.
Generally, the requirements from a security point of view are, as said earlier, that the data comes from the correct sender and that the data has not been changed in the transmission path. Usually, the term authenticity is used for the verification of the sender, and the term integrity for whether or not the message or data has been changed in the transmission path. These terms are also used in the following parts of this description.
Different kinds of methods have been developed to transmit data in a secure way from the sender to the recipient. Almost without exception these methods are based on algorithms which are used for encrypting and decrypting the message, so that only the correct sender and the correct recipient are able to find out the content of the message. Many of these algorithms are based on the so-called private and public key pair method. In this method the sender creates both keys and delivers the public key to the persons concerned. The private key is kept secret from everybody. A message which is encrypted with a public key can be decrypted only with the corresponding private key.
Other kinds of methods have been developed as well to achieve the needed security in data transmission. If we consider, for example, provisioning of bootstrap-type data, especially over the air as in mobile telecommunication, a MAC (Message Authentication Code) based verification method has been proposed. In the MAC based verification method a MAC code is appended to the message. Typically a MAC is a string of bits which depends in some specified way on the message to which it is to be appended and on a secret key known both by the sender and by the recipient of the message. The code appended to the message can, for example, be a block formed with a Secure Hash Algorithm (SHA). The combination of the message and the MAC code is transmitted through an unreliable channel. By the term unreliable channel is meant a channel which is not secure for data transmission, because anyone can monitor the data sent through the transmission path. For verifying the received data a MAC key is also delivered to the recipient. Advantageously, the MAC key is delivered through an out-of-band channel and is based on a user input. In a typical situation the user input is a password.
This kind of MAC based verification method has the problem that if the password is not long enough, an attacker can recover it by computer from the combination of the message and the MAC code. One way to do this is to try all possible passwords until one is found for which the MAC code calculated from the password and the message matches the MAC code transmitted along with the message. Once the password is found, the attacker can generate a new message which will be successfully verified by the recipient. If the original data is changed and the new data is used for the original purposes, serious consequences can follow.
To minimize the risk that an attacker finds out the password, the length of the password can be increased. If the number of bits in the password is large enough, it takes a longer time to find out the MAC code, and the objective is that it takes too long a time to find out the content of the message and change it.
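The MAC based verification method and the password-length trade-off discussed above, as an added example that is not part of the patent text: the sender appends an HMAC-SHA-256 tag computed under a key derived from the out-of-band password, the recipient recomputes and compares it, and a helper estimates the guessing work an attacker faces for a given password length. The key derivation (plain SHA-256 of the password), the sample provisioning message and the guess rate are assumptions, not taken from the page.

```python
import hashlib
import hmac
import math

# Constructed sample bootstrap (provisioning) message; not from the page.
MESSAGE = b"server=10.0.0.5;ca_cert_fingerprint=PLACEHOLDER"
TAG_LEN = 32  # SHA-256 output length in bytes


def mac_key_from_password(password: str) -> bytes:
    # Assumption: the MAC key is derived from the out-of-band password by
    # hashing it with SHA-256. The page does not specify the derivation.
    return hashlib.sha256(password.encode("utf-8")).digest()


def append_mac(message: bytes, password: str) -> bytes:
    # Sender side: compute the MAC over the message with the password-derived
    # key and append it; the combination travels over the unreliable channel.
    key = mac_key_from_password(password)
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify_mac(received: bytes, password: str) -> tuple[bool, bytes]:
    # Recipient side: split off the tag, recompute it with the key derived
    # from the out-of-band password, and compare in constant time so the
    # comparison itself leaks nothing about the expected tag.
    if len(received) < TAG_LEN:
        return False, b""
    message, tag = received[:-TAG_LEN], received[-TAG_LEN:]
    key = mac_key_from_password(password)
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def guessing_work(password_len: int, alphabet_size: int,
                  guesses_per_second: float) -> tuple[float, float]:
    # Defender's estimate of the exhaustive search the text describes: the
    # password space in bits and the worst-case time at an assumed rate,
    # where each guess costs one MAC computation over the captured message.
    bits = password_len * math.log2(alphabet_size)
    seconds = (alphabet_size ** password_len) / guesses_per_second
    return bits, seconds
```

A 4-digit password gives about 13 bits of search space, which is why the text recommends increasing the password length so that the search takes longer than the data remains useful.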
Another problem with the MAC based verification method, especially when applied to bootstrap-type data, is that in many cases the bootstrap information is global (e.g. provisioning addresses, Certification Authority certificate), whereas the MAC code requires that the message is personalized, because of the passwords.
One method used in practice for checking the validity of Certification Authority certificates is to display a fingerprint, such as a complete hash code, of the Certification Authority certificate and ask the user to check it. The user can check the displayed fingerprint by comparing it to one obtained from a newspaper, from the Internet or the like. This method is quite secure in principle, but requires activity from the user.